Compare commits


No commits in common. "519858db1d963ab7f534543ed9edefcf2a5830cc" and "1c47d232dacce2ad30a455aada55ddf70207dc32" have entirely different histories.

10 changed files with 67 additions and 104 deletions


@ -45,11 +45,6 @@
- name: "Include ednz_cloud.hashistack.vault"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.vault
vars:
vault_enable_auto_unseal: true
vault_unseal_url: "{{ vault_configuration['api_addr'] }}"
vault_unseal_tls_verify: false
vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init:


@ -11,11 +11,11 @@ module: ednz_cloud.hashistack.consul_acl_bootstrap
short_description: Bootstraps ACL for a Consul cluster.
version_added: "0.1.0"
version_added: "1.0.0"
description:
- This module bootstraps ACL (Access Control List) for a Consul cluster. It performs the ACL bootstrap operation,
creating the initial tokens needed for secure communication within the cluster.
creating the initial tokens needed for secure communication within the cluster.
options:
api_addr:
@ -40,10 +40,10 @@ author:
EXAMPLES = r"""
# Example: Bootstrap ACL for a Consul cluster
- name: Bootstrap ACL for Consul cluster
ednz_cloud.hashistack.consul_acl_bootstrap:
api_addr: 127.0.0.1
scheme: http
port: 8500
ednz_cloud.hashistack.consul_acl_bootstrap:
api_addr: 127.0.0.1
scheme: http
port: 8500
"""
RETURN = r"""


@ -60,15 +60,15 @@ state:
type: dict
returned: always
sample:
- AccessorID: "b780e702-98ce-521f-2e5f-c6b87de05b24",
- SecretID: "3f4a0fcd-7c42-773c-25db-2d31ba0c05fe",
- Name: "Bootstrap Token",
- Type: "management",
- Policies: null,
- Global: true,
- CreateTime: "2017-08-23T22:47:14.695408057Z",
- CreateIndex: 7,
- ModifyIndex: 7
- AccessorID: "b780e702-98ce-521f-2e5f-c6b87de05b24",
- SecretID: "3f4a0fcd-7c42-773c-25db-2d31ba0c05fe",
- Name: "Bootstrap Token",
- Type: "management",
- Policies: null,
- Global: true,
- CreateTime: "2017-08-23T22:47:14.695408057Z",
- CreateIndex: 7,
- ModifyIndex: 7
"""
from ansible.module_utils.basic import AnsibleModule


@ -11,13 +11,11 @@ module: ednz_cloud.hashistack.vault_init
short_description: Manages the initialization of HashiCorp Vault.
version_added: "0.1.0"
description:
- This module initializes HashiCorp Vault, ensuring that it is securely set up for use.
requirements:
- C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
- C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
options:
api_url:


@ -7,70 +7,66 @@ __metaclass__ = type
DOCUMENTATION = r"""
---
module: ednz_cloud.hashistack.vault_unseal
module: my_test
short_description: Unseals a Vault cluster.
short_description: This is my test module
version_added: "0.1.0"
# If this is part of a collection, you need to use semantic versioning,
# i.e. the version is of the form "2.5.0" and not "2.4".
version_added: "1.0.0"
description:
- This module unseals a Vault cluster by submitting the necessary unseal keys. It checks whether the Vault is sealed and performs the unseal operation if needed. The response will reflect the state after the last unseal key is submitted.
requirements:
- C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
description: This is my longer description explaining my test module.
options:
api_url:
description: The URL of the Vault API.
name:
description: This is the message to send to the test module.
required: true
type: str
tls_verify:
description: Whether to verify TLS certificates.
new:
description:
- Control to demo if the result of this module is changed or not.
- Parameter description can be a list as well.
required: false
type: bool
default: true
key_shares:
description: List of unseal keys required to unseal the Vault.
required: false
type: list
default: []
# Specify this value according to your collection
# in format of namespace.collection.doc_fragment_name
# extends_documentation_fragment:
# - my_namespace.my_collection.my_doc_fragment_name
author:
- Bertrand Lanson (@ednz_cloud)
- Your Name (@yourGitHubHandle)
"""
EXAMPLES = r"""
# Example: Unseal a Vault cluster
- name: Unseal Vault cluster
ednz_cloud.hashistack.vault_unseal:
api_url: "https://127.0.0.1:8200"
tls_verify: true
key_shares:
- "key1"
- "key2"
- "key3"
# Pass in a message
- name: Test with a message
my_namespace.my_collection.my_test:
name: hello world
# Example: Unseal Vault cluster with no TLS verification
- name: Unseal Vault cluster without TLS verification
ednz_cloud.hashistack.vault_unseal:
api_url: "https://127.0.0.1:8200"
tls_verify: false
key_shares:
- "key1"
- "key2"
# pass in a message and have changed true
- name: Test with a message and changed output
my_namespace.my_collection.my_test:
name: hello world
new: true
# fail the module
- name: Test failure of the module
my_namespace.my_collection.my_test:
name: fail me
"""
RETURN = r"""
state:
description: Information about the state of the Vault unseal operation.
type: dict
# These are examples of possible return values, and in general should use other names for return values.
original_message:
description: The original name param that was passed in.
type: str
returned: always
sample:
sealed: true,
t: 3,
n: 5,
progress: 2,
version: "0.6.2"
sample: 'hello world'
message:
description: The output message that the test module generates.
type: str
returned: always
sample: 'goodbye'
"""
from ansible.module_utils.basic import AnsibleModule
import traceback
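Review bot: The DOCUMENTATION, EXAMPLES and RETURN strings on the new side are the unmodified Ansible module scaffold — `module: my_test`, `my_namespace.my_collection.my_test`, `author: - Your Name (@yourGitHubHandle)` — and the template's instructional comments (`# If this is part of a collection, ...`, `# Specify this value according to your collection`) are still in place. If the module body below this hunk still implements Vault unsealing (it is outside the hunk, so I cannot confirm), the documented options `name` and `new` will not match its argument_spec, and `ansible-doc` plus the validate-modules sanity test will report the mismatch. The scaffold text should be replaced with the real module name, its options with types and defaults, the actual return structure, and the author before this ships; the removed side of this hunk shows the shape that documentation took, minus the trailing commas in its RETURN sample.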


@ -42,15 +42,6 @@ vault_storage_configuration:
file:
path: "{{ vault_data_dir }}"
#############################
# auto-unseal configuration #
#############################
vault_enable_auto_unseal: false
vault_unseal_url: "https://127.0.0.1:8200"
vault_unseal_tls_verify: true
vault_unseal_keys: []
##########################
# listener configuration #
##########################


@ -36,10 +36,8 @@
register: _vault_current_version
- name: "Vault | Download and install vault binary"
when:
- _vault_current_version is not defined
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
- not ansible_check_mode
when: _vault_current_version is not defined
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
block:
- name: "Vault | Set vault package name to download"
ansible.builtin.set_fact:
@ -79,6 +77,7 @@
until: _vault_binary_archive is succeeded
retries: 5
delay: 2
check_mode: false
- name: "Vault | Create temporary directory for archive decompression"
ansible.builtin.file:
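Review bot: `check_mode: false` on the download task, together with dropping `- not ansible_check_mode` from the block guard in the first hunk, means a `--check` run now performs the real download and writes the archive to disk while the following steps in the block only simulate; that trade-off should be stated next to the line, e.g. `check_mode: false  # presumably so --check can preview the install steps that need the archive; confirm`. If the downloading module is `ansible.builtin.get_url` (its body is outside the hunk), passing `checksum:` would be worth adding, since the archive is now fetched even on dry runs. The two-line plain scalar under `when:` folds correctly but is easy to break on re-indent; `when: >-` with the expression indented beneath it makes the continuation explicit. The enclosing block continues past both hunks.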


@ -36,10 +36,8 @@
when: _vault_service_need_reload
- name: "Vault | Start service: {{ vault_service_name }}"
ansible.builtin.include_tasks: rolling_restart.yml
when:
- _vault_service_need_restart
- "hostvars[host_item].inventory_hostname == inventory_hostname"
with_items: "{{ ansible_play_batch }}"
loop_control:
loop_var: host_item
ansible.builtin.service:
name: "{{ vault_service_name }}"
state: restarted
throttle: 1
when: _vault_service_need_restart
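Review bot: Restarting Vault with `ansible.builtin.service: state: restarted` leaves each node sealed afterwards when the cluster uses Shamir seals (a Vault server starts sealed unless a KMS or transit auto-unseal is configured), and the new side has no unseal step following it — the rolling_restart.yml removed elsewhere in this compare carried a `Vault | Unseal node` task for exactly that case. `throttle: 1` serialises the restarts across hosts, but it does not wait for the restarted node to be unsealed and healthy before moving on, so a serial restart of every node can still end with the whole cluster sealed. Either add a comment at the task stating that operators must unseal after a restart, or follow the restart with an unseal/health wait. The task name `Start service` also no longer matches `state: restarted`; `Restart service` would be accurate.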


@ -5,13 +5,13 @@
path: "{{ dir_source_item.dest }}"
recurse: true
state: directory
mode: "0755"
mode: "0775"
- name: "Vault | Create extra directory sources"
ansible.builtin.file:
path: "{{ dir_source_item.dest }}/{{ item.path }}"
state: directory
mode: "0755"
mode: "0775"
with_community.general.filetree: "{{ dir_source_item.src }}/"
when: item.state == 'directory'
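Review bot: `mode: "0775"` on both directory tasks makes the directories group-writable, which is broader than the `"0755"` on the other side of this hunk; for directories under Vault's config or data tree, any member of the owning group can then add or replace files. If the group is the Vault service group and write access is needed, say so in a comment (`mode: "0775"  # group-writable on purpose: <reason>`); otherwise `"0755"` is the safer default. Which of the two values is current is inferred from print order here (old first), so confirm before acting on this.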


@ -1,14 +0,0 @@
---
- name: "Vault | Start service: {{ vault_service_name }}"
ansible.builtin.service:
name: "{{ vault_service_name }}"
state: restarted
- name: "Vault | Unseal node"
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ vault_unseal_url }}"
tls_verify: "{{ vault_unseal_tls_verify }}"
key_shares: "{{ vault_unseal_keys }}"
when:
- vault_enable_auto_unseal
- vault_unseal_keys|length > 0